Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

Firefox 8.0.1 bypasses Windows software restriction policy and Windows UAC

  • 2 wotmołwje
  • 19 ma tutón problem
  • 12 napohladow
  • Poslednja wotmołwa wot MichaelSteele

more options

With the release of Firefox 8.0.1, Firefox bypasses Windows Software Restriction Policy (SRP).

With Firefox 8.0.0 - (and previous), Firefox conformed to the policy set forth in SRP.

In addition to the fact that Firefox completely ignores Windows SRP, Firefox also ignores Windows User Account Control. Standard, non-admin, accounts are able to install Firefox without administrative privileges. When the user executes the Firefox installer, Windows UAC prompts the user to elevate to install the program. If the user clicks "no" the Firefox installer continues past UAC and installs the program in the user's %appdata%\local folder instead of the %programfiles% (if the user were to elevate). Any other program would have ceased the installation if not elevated.

I haven't seen any other software ignore SRP and continue to run and/or bypass UAC and continue to install.

Please advise on what software policy needs to be in place to prevent Firefox from being installed and ran on my domain.

With the release of Firefox 8.0.1, Firefox bypasses Windows Software Restriction Policy (SRP). With Firefox 8.0.0 - (and previous), Firefox conformed to the policy set forth in SRP. In addition to the fact that Firefox completely ignores Windows SRP, Firefox also ignores Windows User Account Control. Standard, non-admin, accounts are able to install Firefox without administrative privileges. When the user executes the Firefox installer, Windows UAC prompts the user to elevate to install the program. If the user clicks "no" the Firefox installer continues past UAC and installs the program in the user's %appdata%\local folder instead of the %programfiles% (if the user were to elevate). Any other program would have ceased the installation if not elevated. I haven't seen any other software ignore SRP and continue to run and/or bypass UAC and continue to install. Please advise on what software policy needs to be in place to prevent Firefox from being installed and ran on my domain.

Wot johndball změnjeny

Wšě wotmołwy (2)

more options

Alright, so I was testing some things in the lab. Firefox still ignores UAC elevation (this would solve the problem when it comes to installing the software) but now SRP is blocking Firefox... sometimes.

If I install Firefox then deploy an SRP with the HASH it will still open (even after the group policy for SRP has been applied to the comptuer).

If I install Firefox after the SRP is deployed Firefox gets denied by the SRP. This is both in the %programfiles% and %appdata%\local folders.

Any ideas on keeping Firefox from running past UAC?

more options

UAC prevents software from making system-wide changes without an administrator's consent. It's purpose isn't for IT staff to control which software may run, though most installers try to make their software available to all users on the computer.

Are you checking the hash of the installer instead of the executable? Firefox get's updated frequently enough that maintaining hashes will be a lot of work.

I haven't tried this, but perhaps populating user profile folders with a read-only path will cause the Firefox installer to fail. You'll also need to consider portable firefox